[Webmakers] Mysql database changes for state websites

Kurt Huhn Kurt.Huhn at DoIT.ri.gov
Wed Jun 20 11:55:18 EDT 2012


Hi Chaichen,

That is partially correct.  If the existing user ID is used in an application on Soriweb that requires that the application have the ability to update the database (like a blog, or timesheet application) then it can probably be left as-is (after final determination by Security).

If the existing user ID is only used by the application on Soriweb to display information, and a separate process is used to update or create new information, then we will create a new user that has those permissions and modify the existing user to read-only permission.  The new user will have read-write access, and you will use that new user to perform all database maintenance.

--Kurt


>>> On 6/20/2012 at 11:40 AM, Chaichin Chen wrote:
> Hi Kurt,
>  
> Do I understand correctly that all existing user IDs to the databases on 
> Soriweb will be changed to read-only and that we need to request for new ID 
> if we are to have write access?  
>  
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Chaichin Chen     chaichin.chen at olis.ri.gov 
> Office of Library & Information Services 
> Providence, Rhode Island  
> Phone: 401-574-9307 
> Fax:401-574-9320 
> Skype: chaichinc 
>   
> http://www.olis.ri.gov  
> http://www.info.ri.gov  
>  
>  
>>>> "Kurt Huhn" <Kurt.Huhn at DoIT.ri.gov> 6/20/2012 11:00 AM >>>
>  
>  
> All, 
>  
> As you are probably aware, there was an incident a couple weeks ago  
> regarding one of the State's websites.  While that incident appeared isolated  
> and did not affect other websites, we are proactively taking steps in order  
> to mitigate any further risk of attack. 
>  
> Part of our mitigation strategy is to change any database access that  
> originates from the Statewide web server (Soriweb) to have read-only  
> permissions.  This will help prevent database corruption from malicious  
> individuals or organizations that may attempt to exploit vulnerabilities in  
> website code and user account permissions. 
>  
> We have already begun this process, and have thoroughly tested a handful of  
> websites.  By the end of the business day today, all other accounts will  
> reflect the changes we have made to the test subset.  This should not impact  
> the functionality of your websites, but it will impact your ability to update  
> your database until a new user account is created with new credentials.   
> Generally the creation of this account takes only a few moments, but it will  
> require some changes on your side to whatever process, procedure, or scripts  
> you run from internal systems to the mysql server in the DMZ. 
>  
> There are, of course, some exceptions, and those will be dealt with on an  
> individual basis.  If you have an application that is served from Soriweb,  
> uses the mysql database, and requires write (update, insert) access to your  
> database, please let me know ASAP.  The best way of getting my attention in  
> this regard is to open a Service Desk ticket; that way I can easily track  
> these requests without them getting lost in my inbox. 
>  
> Please email me with questions. 
>  
> --Kurt 
>  
>  
> --  
>  
> Kurt Huhn 
> kurt.huhn at doit.ri.gov  
> Unix, Linux, TSM, and Storage Administration 
> DOA, DoIT, State of RI  
> 50 Service Avenue 
> Warwick, RI 02886 
> 401.462.4736 
>  
>  
>  
>  
>  
> _______________________________________________ 
> Webmakers mailing list 
> Webmakers at listserve.ri.gov  
> http://listserve.ri.gov/mailman/listinfo/webmakers  
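
The two-account split described in the thread (web-server account reduced to SELECT, a separate read-write account reachable only from internal systems) expressed as MySQL GRANT statements. This is an added example, not part of the original mailing-list messages and not the State's actual configuration; the database name olis_site, the host names, the network mask and the account names olis_web and olis_maint are all assumptions.

```sql
-- Added example, not from the thread above. All object names are assumptions:
--   database      olis_site
--   web server    soriweb.example          (the DMZ host, Soriweb)
--   internal net  10.0.0.0/255.255.255.0   (where the update scripts run)
--   accounts      olis_web (display only), olis_maint (read-write)

-- 1. Strip whatever the existing web-server account accumulated, then grant
--    SELECT only on the site's database. The account stays bound to the web
--    server's host, so the credential is useless from any other source address.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'olis_web'@'soriweb.example';
GRANT SELECT ON olis_site.* TO 'olis_web'@'soriweb.example';

-- 2. New read-write account for the maintenance process. The host part limits it
--    to the internal network; it is deliberately not valid from the DMZ host.
--    Password below is a placeholder, not a real secret.
CREATE USER 'olis_maint'@'10.0.0.0/255.255.255.0'
  IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON olis_site.*
  TO 'olis_maint'@'10.0.0.0/255.255.255.0';
FLUSH PRIVILEGES;

-- 3. Verification. For olis_web the first statement should list only
--    "GRANT USAGE ON *.*" (the empty placeholder left by REVOKE) plus the single
--    SELECT grant on olis_site.*; the second should show every *_priv column
--    for olis_web as 'N' at the global level.
SHOW GRANTS FOR 'olis_web'@'soriweb.example';
SELECT user, host, Select_priv, Insert_priv, Update_priv, Delete_priv, File_priv
  FROM mysql.user
 WHERE user IN ('olis_web', 'olis_maint');

-- 4. Smoke test to run from the web server, connected as olis_web. A write is
--    expected to fail with ERROR 1142 (command denied to user), which is exactly
--    the behaviour the change is meant to produce; a SELECT still succeeds.
-- UPDATE olis_site.posts SET title = 'x' WHERE id = 1;
-- SELECT COUNT(*) FROM olis_site.posts;
```

Two points worth keeping in mind when applying this pattern. First, grant the maintenance account the specific verbs it needs rather than ALL PRIVILEGES; if the update process also alters schema, add CREATE, ALTER or DROP explicitly so the grant list documents what the process is expected to do. Second, after the change, any application that still needs to write (the blog or timesheet case in Kurt's reply) will start failing with the same ERROR 1142, which is the signal to open the ticket he asks for rather than to restore the broad grant on the web-server account.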